Domain Name System (DNS) Network Security Asset or Achilles Heel?

Presentation transcript:

Domain Name System (DNS): Network Security Asset or Achilles Heel?
Arya Barirani, VP Product Marketing, Infoblox
November 2014

Agenda
- What is DNS and How Does it Work?
- Threat Landscape Trends
- Common Attack Vectors
- Anatomy of an attack: DNS Hijacking
- Anatomy of an attack: Reflection Attack
- Anatomy of an attack: DNS DDoS
- How To Protect Yourself?
- Q & A

What is the Domain Name System (DNS)?
- Address book for all of the Internet
- Translates “google.com” to 173.194.115.96
- Invented in 1983 by Paul Mockapetris (UC Irvine)
- Without DNS, the Internet and network communications would stop

How Does DNS Work?
The slide walks a lookup of www.google.com through the client, the ISP DNS server and a root DNS server:
1. Client: “I need directions to www.google.com” (query sent to the ISP DNS server)
2. ISP DNS server: “That domain is not in my server, I will ask another DNS server” (query forwarded to the root DNS server)
3. Root DNS server: “That’s in my cache, it maps to: 173.194.115.96”
4. ISP DNS server: “Great, I’ll put that in my cache in case I get another request” (173.194.115.96 is returned to the client)
5. Client: “Great, now I know how to get to www.google.com”

For Bad Guys, DNS Is a Great Target
- DNS is the cornerstone of the Internet, used by every business and government
- DNS is fairly easy to exploit
- Traditional protection is ineffective against evolving threats
- DNS outage = business downtime

The Rising Tide of DNS Threats: Are You Prepared?
- 200%: increase in DNS attacks in the last year alone [1]
- 58%: increase in DDoS attacks [1]
- Up to 100x: possible amplification on a DNS attack, so the amount of traffic delivered to a victim can be huge
- 2M: enterprise-level businesses receive an average of 2 million DNS queries every single day, so the threat of attack is significant
- 28M to 33M: number of open recursive DNS servers [2]; they pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks
Sources: 1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013; 2. www.openresolverproject.org

The Rising Tide of DNS Threats
DNS attacks are rising for 3 reasons:
1. Easy to spoof
2. Asymmetric amplification
3. High-value target
Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan

DNS Attack Vectors

The DNS Security Challenges
1. Securing the DNS platform
2. Defending against DNS attacks (DDoS / cache poisoning)
3. Preventing malware from using DNS

Anatomy of an Attack: Syrian Electronic Army

Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works:
- Combines reflection and amplification
- Uses third-party open resolvers on the Internet (unwitting accomplices)
- Attacker sends spoofed queries to the open recursive servers
- Uses queries specially crafted to result in a very large response
- The reflected, amplified packets cause a DDoS on the victim’s server
Diagram: Attacker -> spoofed queries -> open recursive servers (Internet) -> reflected, amplified packets -> target victim

Anatomy of an Attack: DNS DDoS For Hire
- DDoS attacks against major U.S. financial institutions
- Launching DDoS taking advantage of server bandwidth
- 4 types of DDoS attacks: DNS amplification, spoofed SYN, spoofed UDP, HTTP (+ proxy support)
- Script offered for $800

The Rising Tide of DNS Threats: Top 10 DNS Attacks
- TCP/UDP/ICMP floods: flood the victim’s network with large amounts of traffic
- DNS amplification: use amplification in the DNS reply to flood the victim
- DNS cache poisoning: corruption of a DNS cache database with a rogue address
- Protocol anomalies: malformed DNS packets causing the server to crash
- DNS tunneling: tunneling of another protocol through DNS for data exfiltration
- DNS hijacking: subverting resolution of DNS queries to point to a rogue DNS server
- DNS-based exploits: exploit vulnerabilities in DNS software
- Reconnaissance: probe to get information on the network environment before launching an attack
- DNS reflection/DrDoS: use third-party DNS servers to propagate a DDoS attack
- Fragmentation: traffic with lots of small out-of-order fragments

Protection Best Practices

Advanced DNS Protection: Help Is On the Way!
- DNSSEC
- Collaboration
- Dedicated appliances
- RPZ
- Monitoring
- Advanced DNS Protection

Get the Teams Talking (Network Team, Security Team, IT Apps Team, IT Ops Team). Questions to ask:
- Who in your org is responsible for DNS security?
- What methods, procedures and tools do you have in place to detect and mitigate DNS attacks?
- Would you know if an attack was happening, and would you know how to stop it?

Hardened DNS Appliances
Conventional server approach:
- Multiple open ports: many open ports subject to attack
- Users have OS-level account privileges on the server
- Requires time-consuming manual updates
Hardened appliance approach:
- Limited port access: dedicated hardware with no unnecessary logical or physical ports; no OS-level user accounts, only admin accounts
- Threat update service: immediate updates to new security threats
- Secure access: secure HTTPS-based access to device management; no SSH or root-shell access; encrypted device-to-device communication

Monitoring & Alert on Aggregate Query Rate
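An added example of the aggregate-rate monitoring this slide calls for (not Infoblox's code): it parses constructed BIND-style query-log lines, buckets them into one-second windows and alerts when a window exceeds a multiple of an assumed baseline, naming the dominant client and query type so the team can trace the source. The log layout, the 2 qps baseline and the factor of 5 are assumptions.

```python
# Added example (not from the deck): aggregate DNS query-rate monitor over
# constructed BIND-style query-log lines. Baseline, factor and layout are assumptions.
import re
from calendar import timegm
from collections import Counter, defaultdict
from datetime import datetime

QUERY_RE = re.compile(r"^(?P<ts>\S+ \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
                      r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def _line(sec, client, qname, qtype):
    """Constructed BIND 'queries' category line at 01-Nov-2014 10:00:<sec>."""
    return (f"01-Nov-2014 10:00:{sec:02d}.000 client {client}#5{sec:04d}: "
            f"query: {qname} IN {qtype} + (10.1.1.2)")

# Constructed traffic: ~2 qps in seconds 0-2, then a burst of ANY queries in second 3.
SAMPLE_LOG = "\n".join(
    [_line(s, "10.1.1.5", "www.example.com", "A") for s in range(3)] +
    [_line(s, "10.1.1.9", "mail.example.com", "MX") for s in range(3)] +
    [_line(3, "198.51.100.7", "isc.org", "ANY") for _ in range(12)] +
    ["01-Nov-2014 10:00:04.000 general: info: zone example.com loaded"])  # non-query line

def parse_query_log(text):
    """Return (epoch_second, client, qname, qtype) per query line; other lines are skipped."""
    records = []
    for m in filter(None, map(QUERY_RE.match, text.splitlines())):
        sec = timegm(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").timetuple())
        records.append((sec, m["client"], m["qname"], m["qtype"]))
    return records

def aggregate_rate(records, window=1):
    """Bucket by window start: [total, Counter(client), Counter(qtype)]."""
    buckets = defaultdict(lambda: [0, Counter(), Counter()])
    for sec, client, _qname, qtype in records:
        bucket = buckets[sec - sec % window]
        bucket[0] += 1
        bucket[1][client] += 1
        bucket[2][qtype] += 1
    return buckets

def detect_floods(records, baseline_qps, factor=5, window=1):
    """Alert on windows above factor*baseline, naming the dominant client and
    query type so the team can trace where the flood is coming from."""
    alerts = []
    for start, (total, clients, qtypes) in sorted(aggregate_rate(records, window).items()):
        if total / window > factor * baseline_qps:
            client, n = clients.most_common(1)[0]
            alerts.append({"window": start, "qps": total / window, "top_client": client,
                           "share": round(n / total, 2), "top_qtype": qtypes.most_common(1)[0][0]})
    return alerts
```

Running `detect_floods(parse_query_log(SAMPLE_LOG), baseline_qps=2)` flags only the fourth second, where one client drives the whole window with ANY queries.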

DNSSEC Fixes Kaminsky Vulnerability
- DNS Security Extensions
- Uses public key cryptography to verify the authenticity of DNS zone data (records)
- DNSSEC zone data is digitally signed using a private key for that zone
- A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone

Advanced DNS Protection
The slide shows Advanced DNS Protection deployed on both external and internal DNS:
- Amplification, cache poisoning, reconnaissance and DNS exploits are blocked while legitimate traffic passes
- Automatic updates from an updated threat-intelligence server
- Grid-wide rule distribution
- Data for reports is sent to a reporting server, which reports on attack types and severity

Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
1. An infected device is brought into the office. Malware / APT spreads to other devices on the network and calls home.
2. Malware makes a DNS query to find “home” (botnet / C&C). The DNS server with RPZ capability detects and blocks the DNS query to the malicious domain.
3. The blocked attempt is sent to syslog. With the query to the malicious domain logged, security teams can now identify the requesting end-point and attempt remediation.
4. RPZ is regularly updated with malicious domain data using available reputational feeds (IPs, domains, etc. of bad servers).
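As an added illustration of the flow on this slide (not Infoblox's or BIND's code), a small Python model of RPZ QNAME triggers: a constructed feed written with RPZ zone-file conventions, a lookup that applies exact and wildcard triggers, and the logging that lets the security team identify the requesting endpoint. The feed entries, client addresses and log line format are all constructed.

```python
# Added example (not Infoblox's or BIND's code): a small model of RPZ QNAME triggers.
# Entries follow RPZ zone-file conventions: an owner name or "*.name" wildcard, with
# CNAME "." meaning NXDOMAIN, "*." NODATA and any other target a walled-garden redirect.
from collections import defaultdict

# Constructed reputational feed as it would appear in an RPZ zone: owner -> CNAME target.
RPZ_FEED = {
    "evil-c2.example": ".",            # NXDOMAIN: the malware's "home" lookup fails
    "*.evil-c2.example": ".",          # any subdomain of the C&C domain
    "tracker.example": "*.",           # NODATA
    "phish.example": "sinkhole.corp.example.",  # walled garden / sinkhole (constructed)
}

def _action(target):
    if target == ".":
        return ("NXDOMAIN", None)
    if target == "*.":
        return ("NODATA", None)
    return ("CNAME", target)

def rpz_lookup(qname, feed=RPZ_FEED):
    """Return (policy, target) for qname or None: exact owner first, then the
    closest enclosing wildcard, so a longer trigger wins over a shorter one."""
    name = qname.rstrip(".").lower()
    if name in feed:
        return _action(feed[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in feed:
            return _action(feed[wildcard])
    return None

def resolve_with_rpz(client_ip, qname, log):
    """Apply policy before recursing; a hit is logged (the syslog step on the
    slide) so the security team can see which endpoint asked for the domain."""
    hit = rpz_lookup(qname)
    if hit is None:
        return ("RECURSE", None)  # no policy: would be forwarded to normal recursion
    target = f" target {hit[1]}" if hit[1] else ""
    log.append(f"rpz: client {client_ip} query {qname} policy {hit[0]}{target}")
    return hit

def infected_endpoints(log):
    """Group logged hits by client IP: the remediation list for the security team."""
    by_client = defaultdict(list)
    for line in log:
        parts = line.split()
        by_client[parts[2]].append(parts[4])
    return dict(by_client)
```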

Call to Action
- DNS security vulnerabilities pose a significant threat
- Raise awareness of DNS and DNS security vulnerabilities in your organization
- There are multitudes of resources available to help
- Seek help if needed to protect DNS

Take the DNS Security Risk Assessment
- Analyzes your organization’s DNS setup to assess the level of risk of exposure to DNS threats
- Provides a DNS Security Risk Score and analysis based on the answers given
- www.infoblox.com/dnssecurityscore

This is a new Security Risk Assessment you can point your customers to any time. It’s on the external web site, and customers such as Pep Boys, Twitter, and K-Mart have run assessments. Some major observations about customers in this context:
- Most don’t perform any security analysis on DNS traffic
- No team or person is chartered with looking specifically at DNS security
- For those with on-premises external DNS servers, no knowledge of how to handle DNS-based DDoS attacks
- Most of them use conventional DNS services (Microsoft or BIND), possibly with other services running on them and lots of open ports (security risks)
Higher score = higher DNS security risk!

About Infoblox
- Founded in 1999
- Headquartered in Santa Clara, CA with global operations in 25 countries
- Leader in technology for network control
- Market leadership: DDI Market Leader (Gartner), 50% DDI market share (IDC)
- 7,500+ customers
- 74,000+ systems shipped to 100 countries
- 55 patents, 29 pending
- IPO April 2012: NYSE BLOX
Chart: Total Revenue ($MM, fiscal year ending July 31), 28% CAGR

Thank you! For more information: www.infoblox.com